Navigation

jjw · #1 8th September 2006, 13:39

I've followed the how to here:
http://www.howtoforge.com/howto_post...uth_tls_howto/

And thanks to Falko for pointing out mirrors for the sources in the above tutorial.
http://www.filewatcher.com/b/ftp/ftp...stfix.0.0.html

I've gone through the complete install. No errors. I've added Dovecot (1.0) so I can retreieve email using pop. I've added users and and domains, and I can send mail to and from these clients using TLS/SSL. But I cannot get the server to authenticate smtp.

Can anyone help me? Where would I look for errors? I see nothing in messages, maillog, or the dovecot logs.

This is driving me crazy...

jjw · #2 8th September 2006, 13:45

telnet localhost 25
ehlo localhost

Quote:

250-mail.wnetworks.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN DIGEST-MD5 PLAIN CRAM-MD5
250-AUTH=LOGIN DIGEST-MD5 PLAIN CRAM-MD5
250-XVERP
250 8BITMIME

main.cf

Code:

virtual_mailbox_domains = domain1.com, domain2.com
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_alias_maps = hash:/etc/postfix/virtual
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 450
home_mailbox = Maildir/
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
readme_directory = no
mydomain = wnetworks.net
myhostname = mail.$mydomain
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains
inet_interfaces = all
alias_maps = hash:/etc/aliases
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

master.cf

Code:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd   -v
#smtps    inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission     inet    n       -       n       -       -       smtpd
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       nqmgr
#tlsmgr   fifo  -       -       n       300     1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

jjw · #3 8th September 2006, 14:15

Using saslauthd to check credentials:

Code:

#> /usr/sbin/testsaslauthd -u user_domain.com -p userpassword 
0: OK "Success."

I am using Dovecot's 'auth_username_translation':
auth_username_translation = @_

That is why above I use user_domain.com and below I use user@domain.com

Encoded username/password:

Code:

#> perl -MMIME::Base64 -e 'print encode_base64("user@domain.com\0user@domain.com\0userspassword");'
encodedpasswordoutput

Trying the encoded password via command prompt:

Code:

#> telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.wnetworks.net ESMTP Postfix
#> ehlo localhost
250-mail.wnetworks.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN DIGEST-MD5 PLAIN CRAM-MD5
250-AUTH=LOGIN DIGEST-MD5 PLAIN CRAM-MD5
250-XVERP
250 8BITMIME
#> AUTH PLAIN encodedpasswordoutput
535 Error: authentication failed

jjw · #4 8th September 2006, 14:53

Here is the output in my maillog re authentication when attempting from command line (the one I showed the telnet out from above):

Code:

Sep  8 07:53:33 mail postfix/smtpd[6790]: < localhost.localdomain[127.0.0.1]: AUTH PLAIN encodedpasswordoutput
Sep  8 07:53:33 mail postfix/smtpd[6790]: smtpd_sasl_authenticate: sasl_method PLAIN, init_response encodedpasswordoutput
Sep  8 07:53:33 mail postfix/smtpd[6790]: smtpd_sasl_authenticate: decoded initial response domain2.com
Sep  8 07:53:33 mail postfix/smtpd[6790]: warning: SASL authentication failure: Password verification failed
Sep  8 07:53:33 mail postfix/smtpd[6790]: warning: localhost.localdomain[127.0.0.1]: SASL PLAIN authentication failed
Sep  8 07:53:33 mail postfix/smtpd[6790]: > localhost.localdomain[127.0.0.1]: 535 Error: authentication failed

jjw · #5 8th September 2006, 15:04

Thinking that perhaps I should not use the '@' and use the '_' instead, I got the new encoded credentials:

Code:

#> perl -MMIME::Base64 -e 'print encode_base64("user_domain.com\0user_domain.com\0userspassword");'
encodedpasswordoutput--2

And tried to telnet in:

Code:

# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.wnetworks.net ESMTP Postfix
ehlo localhost
250-mail.wnetworks.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN DIGEST-MD5 PLAIN CRAM-MD5
250-AUTH=LOGIN DIGEST-MD5 PLAIN CRAM-MD5
250-XVERP
250 8BITMIME
AUTH PLAIN encodedpasswordoutput--2
235 Authentication successful

Voila!

The main problem however, is that the remote mail client is told that the server does not support secure authentication, before I have a chance to send a password.

falko · #6 9th September 2006, 14:39

Quote:

Originally Posted by jjw

The main problem however, is that the remote mail client is told that the server does not support secure authentication, before I have a chance to send a password.

What are the exact error messages in your email client and in the mail log?

jjw · #7 9th September 2006, 15:16

Thanks Falko.

Exact error in mail client:
"Mail server does not support secure authentication"

There are no entries in the maillog.

till · #8 9th September 2006, 17:47

Please remove the # sign in front of the lines:

Quote:

#smtps inet n - n - - smtpd

and

Quote:

#tlsmgr fifo - - n 300 1 tlsmgr

in your main.cf file and restart po postfix to enable secure authentication.

jjw · #9 9th September 2006, 18:25

Thank you for the reply Till.

I assume you meant master.cf, and I uncommented those lines, rebooted, and I am still getting the error message "Mail server does not support secure authentication."...

jjw · #10 9th September 2006, 21:23

This is sooooo odd.

Here it is a couple of hours later. I *think* the server is now authenticating. I did nothing at all, just walked away.

I open up Thunderbird, and fired off a mail to a remote location. It was relayed OK. Then, I fired up my Outlook Express, and sent a mail, and I think it worked! /var/log/maillog shows the mail getting through!

I'm going to keep my eye on things here, but thank you for the help, Falko and Till. I think I'll just hang out here for a while if that's ok. I'm learning a lot from all the threads here...

Navigation

Facebook

News

Recent comments

Newsletter